Timing Attack. How Intelligence Agencies De-anonymize Messenger Users.

Imagine a situation: you are an intelligence officer, and your task is to identify a particularly dangerous criminal engaged in blackmail, who appears online periodically and only to transmit data. For his criminal activities, he has set up a separate laptop, from which he has "cut out" the microphone, speakers, and camera. A reasonable decision, considering that speakers can also listen.

He uses Tails as his operating system, although for maximum anonymity he should have chosen Whonix. In any case, all traffic goes through Tor; he does not trust VPN, and for working in the Darknet he still needs Tor.

For communication, he uses Jabber with PGP encryption; he could have installed Telegram, but that’s a representative of the old school of criminals. Even if you have access to the Jabber server, you will only be able to obtain encrypted data and Tor IP addresses. This is useless information.

The criminal operates on the principle of "silence is golden"; he won’t say anything unnecessary and won’t open any links or files. It is only known that he must be in the same country as you. It would seem that there is no chance of establishing his identity, but this is an illusion; his identity can be established despite all the measures he takes.

The described case is ideal for applying a timing attack via the messenger. The first thing needed is a program that will track and record all the user's logins and logouts. When he appears online, the system immediately marks the time; when he leaves, the system records the time of exit.

The log looks something like this: